There's been an increase in USPS-themed spam emails hitting users with three different types of malware. These three pieces of malware are designed to infiltrate the victim's system and steal all valuable information. In order to try and trick users into downloading the attachment, the malicious emails have various subjects and body messages that reference to missing or late USPS parcels.

If users are convinced the message is legitimate, download the attachment, and launch the file, their computer will be exposed to malware designed to commandeer their computer and steal their financial information. The three types of malware the attachment contains are different in design, but all work to compromise the user's security.

The first type provides the attacker with remote access to the infected machine which gives them full access to it. A fileless malware, or malicious code that exists only in memory, is also used and has the ability to execute code directly through the registry - the database that contains the settings for the hardware and software in the computer it's installed in. The final piece of malware scans the computer for any kind of information the attackers believe to be valuable and transmits it to their server for use in further attacks. When used collectively, these three types of malware will take hold of your machine and drain your bank accounts.

Always be wary of suspicious looking shipping notices arriving via email, and never install files received in an attachment without being certain of their origin. As yourself if you're expecting a package. If you're not expecting any, do not click on the attachment no matter how legitimate the email may look. Another option is to contact the USPS directly - not replying to the email - and ask about the email and package in question. They should be able to inform you if you have a package waiting for you or not.

A phishing email has been discovered going around on campus through compromised accounts:

The email address looks legitimate, and the grammar is decent - two red flags have been removed when it comes to spotting phishing emails. Those that click the link are taken to, what appears to be, the Microsoft Office 365 or Microsoft Outlook login page. When a user inputs their credentials, they're actually giving the attackers their login information instead of signing in. Once the attackers have their credentials, they can log into the account, go through the victim's contacts, and send out massive spam messages similar to the one seen above - starting the process over again. Below is an image of the login site the link takes users to:

Looks legitimate, doesn't it? However, there are a couple things that lets users know it's a phishing site. Firstly, the URL is wrong. Instead of the URL being https://login.microsoftonline.com, it is http://loisirs77[.]fr/member/bonaventure.edu. Also, the login page contains the HTTPS preceding the rest of the URL, signifying it is a secure page while the phish does not. There's another hint it's a phishing site if you're looking very closely. At the bottom of the screen, it says the copyright is from 2016, not 2017 like it does on the current login page.

Tech Services will never ask you to validate your account like this. If you receive an email from someone you know that contains a link, stop and think! Are you expecting an email from them? Hover over the link and look at the web address. Will it take you where it says it's going to? Does the web address look legitimate? If you click on the link, look at the webpage. Is there a secure connection if it's asking for your credentials? Does the URL look legitimate? Scan the webpage carefully. Is there anything else off about it? Even if the email is from someone you know, always be wary of unexpected links.

An app giving users access to the latest Android software releases on Google Play? Sounds like good news, especially to those that have older versions of Android. However, users that download the app will not receive the latest update, but they will install spyware called SMSVova which is designed to send the user's location to attackers instead.

Despite the promising looking app, there were several red flags. The screen shots provided were blank - which is uncommon. Also, there is no proper description provided for it, nor does it mention it will send location information to a third party. Many reviewers complained the app slowed down their phone without providing the promised update.

When users try to start the app, it quits abruptly while displaying the message: "Unfortunately, Update Service has stopped." The app then hides from the main screen, but it hasn't actually stopped working.

The spyware sets up an Android service, which allows the app's processing to be done in the background, and a broadcast receiver, which responds to an intent and executes it, to fetch the last known location of the user and scan for incoming SMS messages for a certain message from the attacker. These messages contain more than 23 characters and have "vova-" in the body, and the spyware scans for a message including "get faq". This request allows the attacker to run simple commands, including the ability to protect the spyware with a password. Another feature the attacker could set up is to send the current location of the user if their battery is running low. The specific purpose behind the spyware is unknown, but the information gathered could be used for any number of malicious reasons.

Google has since removed the app, but not without 1 million to 5 million downloads since 2014. Users should realize that software updates will not come through an app. If your phone is compatible with a recent software release, Android will give you the option to update manually.

Those that have installed the system Update app should consider wiping their phones and starting fresh.

A new phone scam spoofing the Health and Human Services Office of Inspector General (HHS OIG) has been making its rounds. Scammers are able to clone the HHS OIG hotline on the target's caller ID in order for the call to appear legitimate. This way, confidential information may be easier to obtain.

The caller poses as an HHS employee that works in the "Federal Grants Department", or in a similar department. Then, they typically tell their targets they are eligible for a grant from the federal government because their taxes were paid on time. The person being scammed is then told all that is needed to receive the grant is confirm their identity by providing their name and Social Security number or bank account number, and then pay for the processing fees. To pay for the processing fees, $250 can be wired through Western Union, or they can give the caller the confirmation code for a $250 iTunes gift card. This should be a red flag since our government does not accept payment in gift cards.

The scammers do not offer the faux grant every time. Other times, scammers are calling under the same alias to see if you will confirm your personal information.

The HHS OIG hotline does not use its phones to place outgoing calls. Their hotline only receives calls. Also, the federal government will never call you to request or confirm information. in order to receive a grant, you must apply for one; the government will not give out a grant as an incentive.

If an unknown individual calls you over the phone, never confirm your name or give any personal information out, such as your Social Security number, date of birth, credit card or bank account information, driver's license number, or your mother's maiden name. Even if they sound authoritative, do not give them the information. Confirming sensitive information should not take place over the phone.

When filling out FAFSA forms, people tend to use the Data Retrieval Tool to import tax information from the IRS and automatically populate the application with those details. this past fall, it was discovered that attackers could possibly take advantage of this tool, and they might use the stolen data to file fraudulent tax returns and steal refunds. Despite this possible threat, the tool remained available because up to 15 million people utilized it.

The Data Retrieval Tool was shut down in March after an unusual amount of uncompleted forms were discovered - a sign of an attack. Hackers posed as students by obtaining personal information outside the tax system and used the tool to access tax returns. the data gained from these returns were used to file for tax returns. Questionable tax returns were filed by people who had used the tool, and those returns have already been stopped. Though, the IRS suspects about 8,000 fraudulent returns were filed, processed, and refunded for a total of $30 million.

The shutdown also affects those applying for an income-driven repayment plan. Those applying for an income-driven repayment plan should submit alternative documentation of income to their federal loan services after they complete and submit the online application. The process of submitting alternative documentation of income is explained as a part of the online application.

While the Data Retrieval Tool is unavailable, the applications are still available and operable. The information needed to complete the FAFSA or the income-driven repayment plan can be found on the 2015 tax return. If one is not available, you may obtain a transcript through Get Transcript Online. If you also need access to your credit report, follow the steps provided by the Federal Trade Commission to acquire a free copy.

The extend of the breach is unknown, but the IRS is in the process of contacting 100,000 taxpayers to inform them their data may have been compromised. So far, they have sent out 35,000 letters to potential victims. If you have used the Data Retrieval Tool this year and have not received a letter, be sure to reach out to the IRS to make sure no fraudulent returns were filed under your name.

If you have been notified, contact one of the three Credit Reporting agencies: Transunion, Equifax, or Experian. Notify your bank and credit card companies of what has happened. If you do online banking or manage your credit card accounts online, place alerts on each account so you'll be notified of any transaction. Also, visit IdentityTheft.gov for any further assistance you may need.

The IRS is planning to launch a more secure version of the tool for the next application cycle in October.

A malicious plugin has been discovered on 4,000 WordPress websites. This plugin, named WP-Base-SEO, is a forgery of the legitimate search engine optimization plugin called WordPress SEO Tools. Search engine optimization, or SEO, maximizes the number of visitors to a website by ensuring the website appears high on the results list returned by a search engine.

The plugin's intent is to hide in plain sight so users don't suspect anything. Some of its code is taken from an existing SEO plugin, and it contains a reference to the WordPress plugin database along with documentation on how the plugin words to make it appear legitimate.

It's likely that the plugin is being installed via mass automated scanning of WordPress sites where attackers are looking for outdated plugins or WordPress themes. One way researchers believe attackers are getting in is through an outdated version of RevSlider which has been tied to several website compromises in previous years. Other ways attackers could be getting in is by using stolen credentials or using brute force attacks against the website.

The forgery runs an eval request, commonly used for malicious purposes to create a back door, which allows attackers to execute arbitrary code. Executing arbitrary code gives attackers the ability to execute any command of the attacker's choice on a specific machine.

Even though 4,000 websites have been infected with this form of malware, a search on the plugin name will not yield any results, suggesting it's flying under the radar of malware scanners.

If you're an administrator for a WordPress website, you should check the installations for suspicious files often. If WP-Base-SEO or any suspicious plugin is found in the plugin directory, it is best to delete the entire folder and reinstall a clean version of it from the WordPress admin dashboard or by downloading it directly from WordPress.org.

Currently, the purpose behind this plugin has not been revealed. However, attackers usually break into websites in order to gain access to the database to send out spam emails, gain access to the administrator's sensitive data such as credit card information, or cause the website to download malicious software onto the end user's machine.

About a week ago, several Skype users reported a fake Flash Player ad that is used to download ransomware, and possibly other forms of malware, onto Windows machines. The fake ad appeared on the Skype app's homepage as one of the in-app ads that it usually serves to its users. When it's triggered, the download is designed to look like a legitimate app.

The fake app offers to download a file named FlashPlayer.hta. When the file is opened, it would then download a malicious payload. The HTA file is one of the preferred attachment types for the distribution of well-known forms of ransomware.

The attackers use one of many disposable domains in order hide their operations. Attackers will purchase dozens of domain names at a time, some of which are active for a day or so before it's replaced with another. This prevents common security tactics, such as domain blacklisting, from working, and it keeps the attackers' malicious activity running for a longer period than if they relied on one domain. Also, it makes it more difficult for security vendors to protect against this type of approach since after one domain is taken down, another takes its place and continues the spread of malicious activity. Since these domains only last for a short time before being blacklisted, they are often referred to as disposable domains. Microsoft is aware of this situation and urges users to exercise caution when opening links and attachments from both known and unknown sources.

If any software asks for updates, always download it from the official website, never through an ad. For the latest version of Adobe Flash Player, visit: https://get.adobe.com/flashplayer

If you found the lock broken on your door, you wouldn't shrug your shoulders and risk someone breaking in. You would implement the necessary means to get it fixed. So why isn't this the thought process applied to software updates when it's virtually the same concept?

While updates may appear to be bothersome, most of them relate to the computer's security and protect it against vulnerabilities found in the software. Implementing updates is important to help keep your computer safe from malicious software since vulnerable software is one way for attackers to infect your device. You can check to see if any software needs to be installed on your computer by checking the lower right corner for Windows for the update icon:

All software is vulnerable. since software is produced by humans, and like anything else developed by humans, it's flawed with unintentional mistakes which can open windows to cyber criminals. Developers may not even be aware they are making security holes while delivering a working software product. Because of this, bugs will be undiscovered once the finished product is delivered. When they are found later on, a patch will be made and sent out as a needed update. software developers can try and take the time to build the perfect software, but this would take a very long time, if not forever, and the product must be delivered at some point.

The best way to make sure necessary updates are installed is to either turn on automatic updates on your computer or implement them as soon as you can. Also make sure to restart your computer after all patches have been applied, as shown above. Postponing security updates hinders the security of any product.

On March 23, 2017, I had the opportunity to interview Tien Ha, a computer science student here at St. Bonaventure, on issues commonly seen at the Help Desk.

What are some of the common computer issues that you have seen/ deal with day to day that relate to security and how do they affect the computer's security?
Some of them most common [issues] I've seen working for tech services are simple malware infections, viruses, pop ups...all those things could affect security. I've seen staff and faculty [send] us emails what they think is suspicious; that they think it might be a scheme - like a phishing scheme. Another rare one that we've seen is what you call ransomware. The [get a hold] of your files and they lock it, and you don't have access to it unless you pay them. That's something that definitely affects security because you are vulnerable to these attacks and there's no way around it. You either pay or it deletes the file, that's it.

Mac users can tend to think they can't get infected with malware, or that they're safe. What can be said about this?Definitely untrue. When people say Macs can't be infected, that's absolutely absurd; it's unreal. It's just that when you think of cybersecurity, it's the target base. There's obviously a lot more [Windows users] than there are on Mac OS, so obviously the attacker will for got the bigger group of people. There's a low population using [Macs]; it doesn't make too much profit to attack Mac users.

Recently, we've seen an increase amount of Macs that are infected with pop ups, malware, and viruses. They are vulnerable to attacks. Macs aren't safe.

Some people think that if they have antivirus they're safe, or it can't happen to them. what can be said to help users realize nothing is infallible?
Having antivirus reduces the chance of you getting infected. Nothing is 100%. Even when it comes to bacteria, there's nothing that will kill everything. There's always a chance you'll get infected. Nothing's perfect. You can't just block everything out, otherwise you won't have any communication on the Internet, and the Internet is a big wide web and anything can happen when you have that large scale.

In my research, hackers have been finding ways to get around the antivirus.
Exactly. When I think of antivirus, I think of vaccines. You're injected with that virus and when it does [attack], it eliminates it. That is what antivirus is pretty much doing. It holds [data on] malware for a potential attack, and when it does attack it can detect it and say "This is probably malware, you should probably get rid of it." But if new malware came out, that antivirus won't have it so it won't recognize it. You are vulnerable at all times.

Are there any other tips or suggestions that you would give college students that could help prevent security issues?
I would just say common sense. Don't put your password out there where people could easily have access to it.

I would suggest using google Chrome [or one of the higher end browsers] because they have a lot of plugins that help limit pop ups, so preventing malware. Some other ones would be to not store your password on your browser because if your browser is compromised, the person who compromised your computer will have access to all your accounts. You don't want that to happen with your back accounts or emails and [important] stuff like that.

If you are lazy and you don't want to type your password in all the time, I would suggest [using] the check mark for some websites that says "Keep me logged in." It's better to keep yourself logged in at all times than to save your password on your browser. Update your antivirus, update your operating system...it'll keep it in check and keep some bad stuff from happening. Common sense is the most important thing.

Thank you Tien for coming in for the interview and providing insight and tips!

Malvertising, or malicious advertising, is when attackers use online advertising to distribute malware. Attackers utilize an invisible webpage element in the ad's code to direct the user's computer to criminal servers - just by visiting the webpage where the ad is hosted. Then the servers catalog details about the computer and selects a certain type of malware to plan on the device - 70% of the time ransomware is installed.

Not only is it designed to strike without your knowledge, but it also lives on trusted websites with high user traffic. Some websites where malvertising has been found include the New York Times, the BBC, MSN, the NFL, Yahoo, and AOL.

In order for businesses to advertise online, they must sign up with a network and then bid to have their ads appear on popular websites. Since not all advertising networks have strict criteria for advertisers, malicious ads go unchecked. Also, ad sellers don't always know the buyers because more of the transactions are becoming automatic. Plus, some ad sellers allow newcomers in for cheap prices.

Attackers don't always apply malvertising right away. Some display good ads for a while before switching to the ads that contain malicious code in order to fool ad networks. This makes it difficult for ad networks to anticipate or detect them.

While there aren't any ways to prevent your computer from getting infected from malvertising, there are ways to try and stay away from it. Downloading an ad blocker can filter out a lot of malicious ads. Always make sure to keep your computer up to date. Malvertising is designed to find security flaws in software, operating systems, and browsers. Running an effective anti-exploit program can shield these vulnerabilities. Also be sure to remove any software you don't use or need, especially Flash or Java. If you need to use Flash or Java, enable click-to-play on your browser. This keeps it from running unless you specifically tell them to. A good amount of malvertising relies on exploiting these plugins.

The scam appears as a seemingly valid pop up from Chrome. This occurs when users utilize search engines or links on social media to visit compromised, legitimate WordPress websites that contain injected code. Due to poor website protection, hackers are able to place the injected code within the site, modifying the text rendering. This causes the font to appear as mis-encoded text and random characters. The pop up warns the user that "The 'Hoefler Text' font wasn't found," and then provides an upgrade, Chrome_Font.exe, to fix the outdated Chrome pack, as shown below:

Usually, this warning sign indicates the file is malicious. If the user ignores the warning and executes the downloaded file, either a Trojan will be installed or Spora, a type of ransomware, will infect the computer.

Always make sure to look before you click since few antivirus programs can detect this type of malware! If you know what version of chrome you are using, check it against what the pop up says you're running. The pop up has the version of Chrome hardcoded as version 53. Check the filename of the download and compare it with what the pop up says should be the filename. The download's name will be hrome_Fontv7.5.1.exe, not Chrome_Font.exe.

Chrome does use Hoefler Text, although it's not used very often, and scammers try to take advantage of this with this scam. Be aware that Chrome's font pack already has every font you need, so there is no reason for Chrome to prompt you to download a missing one. If a font is missing, Chrome will automatically choose a different font to display instead.

A scam on Facebook is targeting Google Chrome users, and it is being spread through the Messenger via a friend's hijacked account.

The link appears to be a photo saved in the SVG format, and the filename set up is photo_[random numbers].svg. Some of the commonly seen filenames are photo_4837.svg, photo_999.svg, or photo_8470.svg. This link is then paired with a phrase that will try and spark enough curiosity for the user to click on it, including variations of "Look at this!", "Is this you?", or "My Newest Video."

Do not download it! The extension will either download malware to steal sensitive information or install ransomware on your device. Facebook is trying to monitor this link; however, this shouldn't stop you from double checking what you receive in your messages.

A more recent variation of this scam includes a "YouTube" link, either sent via the Messenger, posted to the user's timeline, or the user is tagged in a post with the link such as the image below.

The link is allegedly to a friend's video which is usually titled "My first video," "My video," or "Private Video." clicking on this link will take users to a faux Facebook login page and asks users to re-login before the video can be viewed. Entering in the login information will allow scammers to collect it and hijack the account. This gives scammers the ability to use the account to launch scams, malware campaigns, spam, and gives them the ability to send more "YouTube" links to the user's friends, thus starting the cycle over again.

What is ransomware?
Ransomware is a type of malware that encrypts the victim's files and prevents access to them. Once the files are encrypted, an image or a message will be displayed saying the user's data has been encrypted, and it demands they must pay a specific amount of money within a certain time frame to obtain the key to decrypt the files. Not paying the ransom in the time allotted will either double the ransom or the data will be destroyed. A version of the message may appear as a police warning, saying the user has visited a website with illegal content and threatens arrest if the amount displayed is not paid.

Most of the time, the payment is asked to be made in Bitcoins since this crypto-currency cannot be tracked by law enforcement or cyber security researchers. Or the attackers may ask the victim to pay via MoneyPak - a prepaid card available in several retailers.

The encryption used is unbreakable which can sway users into paying. However, if the ransom is paid there is no guarantee the key will be given to you.

While it's not as common for Macs to be infected with ransomware, it's still possible. Within the past year, the first Mac computer was found to be infected with ransomware, and the number of infected Macs has been slowly climbing.

Ransomware targeting the Android operating system has increased about 50% in the past year. Since more people are using their smartphones instead of their PCs, it makes the mobile operating system a more worthwhile target. The perpetrators keep a low profile by encrypting the malware deep within infected apps.

Jailbreaking and iPhone moves away from the built-in protection offered by the default system, allowing users more freedom such as downloading apps from third party app stores. However, this leaves it vulnerable to security threats. In 2015, ransomware entered jailbroken iPhones through Cydia, an unauthorized app store which allows people to download apps that didn't meet Apple's guidelines.

How is ransomware spread?
Ransomware can be spread much like any other type of malware - through emails containing malicious links or attachments, online advertising designed to spread malware, or through SMS messages on mobile phones. Other ways ransomware can be spread is through security exploits in software. If you visit a malicious site, the ransomware will be able to use a security exploit to infect your computer. Ransomware can also spread via an infected computer through Wi-Fi and Bluetooth which can infect other computers on the same network.

Won't an antivirus program detect it?
No. Ransomware encrypts its communication between the program and the perpetrator's server in order to stay hidden from antivirus and law enforcement agencies. The encryptions ransomware contains also makes it more difficult for the antivirus to see it includes malware. Also, ransomware has the ability to remain inactive until the computer is at its most vulnerable point.

What can be done to prevent ransomware attacks?
Some of the most common advice given in avoiding malware is making sure systems and applications are up to date, back up your files on a regular basis to an external drive and/ or a cloud service, don't click on suspicious links or attachments sent to you via email or social media, and keep macros disabled in Microsoft Office. Macros is an instruction that expands automatically into a set of instruction to perform a certain task and can be a security risk. If you open an attachment from a questionable email and it asks you to enable macros in Microsoft Office, don't do it! It will install the ransomware.

There are other tips you can follow to make sure you keep your computer safe. Make sure to have modern antivirus with malware protection that is updated and actively runs in the background, or use an antimalware solution that has ransomware behavior detections. Stay away from questionable websites. Also, be careful what you download from the internet. Only download from websites you know and trust, else you could risk downloading ransomware. Be sure to remove outdated plugins and add-ons - these could be security exploits that ransomware could use to infect your computer. If your computer is already infected, be sure to disable the Wi-Fi and Bluetooth capabilities to keep it from spreading to other machines.

What kind of software is available to detect it?
There are several anti-ransomware programs available, some of which are free. For Windows users some of the more recommended programs are RansomFree, BitDefender, CryptoPrevent, HitmanPro.Alert, Zemana Anti-Malware, and Malwarebytes Anti-Ransomware. Mac users can utilize RansomWhere?

Some reviewers for these programs recommend to pair it with an antimalware solution since the software will not detect everything.

Following the stated safety tips and only opening files from trusted sources can help in preventing a ransomware attack. However, the best means of protection is to ensure a backup of your files is kept on an external drive or a cloud system separate from your computer. This way, even if your computer does become infected, your files are still available.

Shopping with your phone may be easier, but it could be dangerous for your credentials. Since shopping on smartphones is becoming more popular, scammers are taking advantage of this by building fake apps to impersonate well-known retailers to steal your information. The apps themselves can look legitimate and promise special deals or features. However, these apps are meant to download malware onto your device or steal your information.

Before installing an app, be sure to review the permissions it needs and try to correlate each one back to some feature or function of the app. Reliable apps will state why these permissions are needed. Apps like Amazon may need access to your camera to be able to post photos for reviews, but if a shopping app says it needs access to your social media accounts may be questionable. Also be sure to look at the reviews. How many reviews are there? Do the number of negative reviews outnumber the positive ones? Apps from retailers will have thousands of positive reviews that greatly outnumber the negative ones. Fake apps may have a few reviews, but most of them will be negative.

Developers have until March 15 to implement a privacy policy or remove the sensitive permissions. Else, Google will either limit the visibility of offending apps or remove them. Many harmless apps will probably be removed from the Play Store due to developers who either don't know how to implement a privacy policy or don't care to make one.

This will help Google clean out dead apps, bad apps, apps that are designed for malicious attacks like some fake shopping apps, and have active apps update their policies and permissions in the Play Store. While this would help increase user security, fake apps will still find ways to pass through the enforced user data policy since Google lets anyone publish an app. Apple and Microsoft, on the other hand, review the app's code before it's allowed to be published, providing better security.

Another means to look out for illegitimate apps is using mobile antivirus from Avast, BitDefender, Kaspersky, Sophos, Symantec, or TrendMicro. These antivirus apps are designed to protect your phone from malicious apps and are able to detect malicious activity from them for you.

Even though it's not always thought of, smartphones are computers. When using both devices, you must think of what should be done to keep your information safe.

On December 8, 2016, Tech Services conducted a test phishing scheme among employees by sending out a fake phishing email. The faux email contained a harmless link that merely kicked the user back to Microsoft.com when clicked on.

Out of the 780 employees tested, 86 people clicked the link - approximately 11%. However, of the 86 people that clicked the link, some clicked it more than once which brought the total number of clicks on the link up to 113.

If you would like to know how you did on the test, feel free to contact Steven Jarbeck and he will share your results with you.

Scam artists are calling their targets, claiming to be computer technicians from Microsoft or other well-known companies, hoping to gain access to their computer. The scammers will claim they have detected viruses or other forms of malware on the target's computer to trick them into giving them remote access or paying for software they don't need. This software is either useless, available for free somewhere else, or malware.

Don't give control of your computer to a third party who calls you suddenly! Microsoft or their partners will never call to charge you for computer fixes.

A variation of this scam involves pop ups saying your computer is infected and urges you to call the number shown on the screen. These pop ups may look similar to the images below:

What is two-factor authentication?Two-factor authentication is a method that uses two different techniques to protect your identity. This first factor is typically something only you would know, like a password. Examples of the second factor include USB tokens, cell phone text messages, phone callbacks, and authenticator apps. By not only requiring your password, but a secondary that randomly generates a key to confirm who you are, it drastically lowers the odds of someone breaking into your account.

How would I benefit from it?
There are many ways you would benefit from it. Many of our accounts are tied to our bank and credit card information, like Amazon. Two-factor authentication would provide a means of making sure that kind of information stays safe and out of hackers' hands. It's the same idea when it comes to using it for your email and social media accounts. Emails may contain sensitive information, and if an attacker gains access to your account, not only do they have access to your emails, but to your contacts as well. By using it with social media, you would be protecting your personal information.

What does it take to do this?
First, you must check to see if the website provides two-factor authentication. An extensive list can be found here: https://twofactorauth.org/. Some of the websites only provide a certain means for the second factor, the most popular being text messages or code generators. If this is the case, you can turn on two-factor authentication under account settings or account options and add your phone number. Among these websites, some allow authentication through a third party app, such as Google Authenticator. The third party app integrates with the site and offers a constant set of rotating codes that can be used whenever they're needed, even offline. This allows users to have one code generator instead of using one per site.

For those that don't have a smartphone, some websites call you to give you the verification code. Be sure to verify the websites allow this, most of them only send text messages.

What happens if I lose my second factor for authentication?
Once you sign up for two-factor authentication, there are backup codes available that should be printed and kept in a safe place just in case this happens.

When setting up for text messages or phone calls, some websites allow you to set up backup phone numbers to receive calls so you can gain access. Others will only allow these backups to receive text messages. Some, however, only allow the backup codes they provide initially.

If you lose your USB token, refer to the backup codes originally provided to log in. Once logged in, you should immediately revoke the token that was lost.

Anything else I should be concerned with?
It will take longer to log in. Two-factor authentication isn't the same as typing in your password and getting in quickly. The extra step can take some time, but it would be time well spent.

Also, be sure to check your accounts regularly. Keep in mind that even though it lowers your chances of having your information stole, it does not eliminate your chances. It is still possible for your accounts to be compromised, although it's slim.

In the end, two-factor authentication is something that should be considered greatly. It offers a means of protection that will protect your information more so than a single password.

Recently, we asked students and faculty to take a short quiz about phishing and the methods used. The quiz contained questions from what to look for in an email to information that is considered sensitive. Out of the people we asked, 473 of them completed the quiz. The results are:

We want to thank everyone who participated in the Phishing quiz. We’ll use the results as a baseline to guide us in tailoring an awareness campaign. More information to come. Please check www.sbu.edu/sec-blog every Tuesday and Thursday to see the latest news and threats.

While the IRS Impersonation Phone Calls still manage to trick people into handing over their personal information, scammers have found other phone call methods to utilize. These are:

The “Federal Student Tax”:Scammers impersonating the IRS try and contact students to convince them they must pay the “federal student tax,” even past the tax deadline. If the victim does not cooperate, they are threatened to be reported to the police. The IRS will not call to demand an immediate payment over the phone, nor will they threaten to bring in law enforcement. They also won’t call about taxes owed without having mailed a bill first.

“Verifying” Tax Return Information on the Phone:The scam artist will call saying they have your tax return, and they need to verify a few details to process the return. This scam attempts to try and give up personal information such as your Social Security Number or financial information.

The IRS does not ask for any sensitive information over the phone such as your Social Security Number, credit card information, or bank information.

As time moves on, scammers are aware they can’t always rely on the same tactics to get ahold of the information they want. Their goal is to try and catch people off guard, and to do that some of their approaches must change. A couple of these methods are:

Phishing:Official looking emails are sent to trick taxpayers into thinking they are official communications from the IRS or others in the tax industry, such as the Taxpayer Advocacy Panel (TAP). These schemes can ask their potential victims a wide range of topics such as information relating to refunds, filing status, confirming personal information, ordering transcripts, and verifying PIN information. When the links are clicked on, the person is taken to sites that are designed to appear like an official website. These sites ask for their personal information. Not only will the victim’s information be stolen, but these sites also may carry malware. A variation of this scheme is sent via text message.

The IRS won’t send emails or texts to contact taxpayers about tax issues. If you’re questioning whether or not it was sent by the IRS or another organization, examine the link before clicking on it.

False CP2000 Notice Related to the Affordable Care Act:Scammers are taking advantage of the confusion about Obamacare by sending out these false notices. These fake documents are included in an email attachment. In addition to the “payment” link in the email, the fake CP2000 includes a payment request that the taxpayer must mail a check made out to “I.R.S” to the “Austin Processing Center.” The actual form is not a bill and only informs taxpayers of the proposed adjustments the IRS wants to make. Also, those who want to see if their notice is legitimate, they can visit: https://www.irs.gov/individuals/understanding-your-cp2000-notice